Ben, we are disappointed by this decision but want to reaffirm Entrust’s commitment to continued execution of our improvement plan and re-establishing confidence with Mozilla and the Web PKI community. We also appreciate your support and endorsement of our plan to continue to operate as a delegated RA through our partnership with SSL.com. We’ll continue to provide updates here on both fronts.
On Wednesday, July 31, 2024 at 11:01:14 AM UTC-4 Ben Wilson wrote:

> Dear All,
>
> This email announces Mozilla's decision regarding Entrust’s recent compliance incidents <https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/LhTIUMFGHNw/m/uKzergzqAAAJ>.
>
> After careful consideration of the nature of these incidents, Entrust’s proposal for addressing the incidents, and the community’s feedback, we have decided to set TLS distrust-after dates for the Entrust root certificates which are currently included in Mozilla’s Root Store.
>
> Mozilla previously requested <https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/LhTIUMFGHNw/m/uKzergzqAAAJ> that Entrust provide a detailed report on these recent incidents and their root causes, an evaluation of Entrust’s recent actions in light of their previous commitments given in the aftermath of similarly serious incidents in 2020, and a proposal for how Entrust will re-establish Mozilla’s and the community’s trust.
>
> Although Entrust’s updated report made an effort to engage with these issues, the commitments given in the report were not meaningfully different from the previous commitments which were given in 2020 and broken in the recent incidents. Ultimately, the proposed plan was not sufficient to restore trust in Entrust’s operation. Re-establishing trust requires a candid and clear accounting of failures and their root causes, a detailed and credible plan for how they can be addressed, and concrete commitments based on objective and externally measurable criteria.
>
> Additionally, we are aware that Entrust has reached an agreement with SSL.com to act as its External Registration Authority (RA), performing pre-issuance vetting of certificate applicants for SSL.com. We support this arrangement, recognizing that SSL.com, as the operator of the root CA within Mozilla’s root CA program, will be responsible for domain validation, certificate issuance, and revocation, and ultimately, for any incidents that may occur.
>
> In summary, we intend to implement a distrust-after date for TLS certificates issued after November 30, 2024, for the following root CAs:
>
> CN=AffirmTrust Commercial
> CN=AffirmTrust Networking
> CN=AffirmTrust Premium
> CN=AffirmTrust Premium ECC
> CN=Entrust Root Certification Authority
> CN=Entrust Root Certification Authority - EC1
> CN=Entrust Root Certification Authority - G2
> CN=Entrust Root Certification Authority - G4
> CN=Entrust.net Certification Authority (2048)
>
> We hope Entrust will work to address the root causes of these incidents and so eventually re-establish confidence in its internal policies and processes, its tooling and technology, and its commitment to the Web PKI community.
>
> Sincerely,
> Ben Wilson
> Mozilla Root Store Manager
